---
title: Force password reset on next login
sidebar_label: Password reset on login
---

You can require users to reset their password on their next login, using expression policies, custom stages, and a custom user attribute. This guide explains how to configure this with the `default-authentication-flow`; however, the same steps apply to any authentication flow.

Configuring forced password reset on next login involves the following steps:

    1. Creating two expression policicies.
    2. Creating and binding two stages to the active authentication flow.
    3. Binding the expression policies to the stages.
    4. Setting a custom user attribute which triggers the password prompt.

## Create expression policies

You'll need to create two expression policies; one that checks the value of a custom user attribute on the user account attempting to log in, and another that resets the value of the custom user attribute.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Policies** and click **Create** to set up the first policy.
3. Select **Expression Policy** as the policy type, click **Next**, and configure the following settings:
    - **Name**: Provide a descriptive name for the policy (e.g. `reset_password_check`).
    - **Expression**:

        ```python
        # Check if the "reset_password" attribute set to true for the pending user
        if request.context["pending_user"].attributes.get("reset_password") == True:
            return True

        return False
        ```

4. Click **Finish** to save the first policy, then repeat the steps to create the second policy using the following settings:
    - **Name**: Provide a descriptive name for the policy (e.g. `reset_password_update`).
    - **Expression**:

        ```python
        # Check if the "reset_password" attribute is set to true for the pending user
        if request.context["pending_user"].attributes.get("reset_password") == True:
            # Reset the "reset_password" attribute to false to prevent forcing a password reset on next login
            request.context["pending_user"].attributes["reset_password"] = False
            return True

        return False
        ```

5. Click **Finish**.

## Create stages

You'll need to create two stages; a _Prompt stage_ to prompt the user to enter a new password, and a _User Write stage_ to update the user's account with the new password. Both stages will need to be bound to the active authentication flow, typically the `default-authentication-flow`.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages** > **Flows** and click on the name of the active authentication flow, typically the `default-authentication-flow`.
3. Select the **Stage Bindings** tab and click **Create and bind stage**.
4. Select **Prompt Stage** as the stage type, click **Next**, and configure the following settings for the stage:
    - **Name**: Provide a descriptive name for the stage (e.g. `Force Password Reset Prompt Stage`).
    - Under **Fields**:
        - Click the `x` icon between **Available Fields** and **Selected Fields** to clear the selections.
        - Select `default-password-change-field-password` and `default-password-change-field-password-repeat`.
    - Under **Validation Policies**:
        - Click the `x` icon between **Available Policies** and **Selected Policies** to clear the selections.
        - _(Optional but recommended)_ Select `default-password-change-policy`.

:::tip
Optionally, you can create and add a text field to the prompt stage to inform users that they are required to reset their password. For more details on configuring this, refer to the [Prompt Stage documentation](../../add-secure-apps/flows-stages/stages/prompt/index.md).
:::

5. Click **Next** to create the stage and then configure the following settings for the binding:
    - **Order**: `25` or any number higher than the `default-authentication-password` stage order and lower than the `default-authentication-mfa-validation` stage order.
    - Leave the other settings as their default values.

6. Click **Finish** to create the binding and repeat the process for the second stage using the following settings:
    - **Stage type**: Select **User Write Stage** as the type.
    - **Name**: Provide a descriptive name for the stage (e.g. `Force Password Reset User Write Stage`).
    - Leave the other settings as their default values.

7. Click **Next** to create the stage and then configure the following settings for the binding:
    - **Order**: `26` or any number higher than the `Force Password Reset Prompt Stage` stage order and lower than the `default-authentication-mfa-validation` stage order.
    - Leave the other settings as their default values.

8. Click **Finish** to create the binding.

## Bind policies to stages

You will need to bind the previously created policies to the newly created stages. Specifically:

    - The `reset_password_check` policy needs to be bound to the `Force Password Reset Prompt Stage`.
    - The `reset_password_update` policy needs to be bound to the `Force Password Reset User Write Stage`.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages** > **Flows** and click on the name of the active authentication flow, typically `default-authentication-flow`.
3. Select the **Stage Bindings** tab and click the arrow next to the newly created `Force Password Reset Prompt Stage` to expand it.
4. Click **Bind existing Policy / Group / User**.
5. Set **Policy** to `reset_password_check` and click **Create**.
6. Click the arrow next to the newly created `Force Password Reset User Write Stage` to expand it.
7. Click **Bind existing Policy / Group / User**.
8. Set **Policy** to `reset_password_update` and click **Create**.

## Set custom user attribute

To require a user to reset their password on next login, you will need to set a custom user attribute on their account.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Users** and click the **Edit** icon of the user in question.
3. Add the following values to the user's attribute field:
    ```python
    reset_password: True
    ```
4. Click **Update**.

The next time the user logs in, they will be required to reset their password, and the `reset_password` attribute on their account will be set to `False`.
